SUPEE-6788 Patch Bundle

This patch bundle protects your Magento installation against several potential threats, and includes a new configuration setting that helps manage the backward compatibility of the patch for extensions and customizations. The first patch in the bundle was included in the Magento Community 1.9.2.1 release. However, versions of Magento Community prior to 1.9.2.1 need this critical patch.

Important! This patch breaks backward compatibility, and can impact extensions and customizations.

Admin Routing Compatibility Mode

To help manage the compatibility of extensions and customizations, the following setting has been added to the Admin > Security configuration:

Admin Routing Compatibility Mode: Allows you to verify that all extensions and customizations are compatible before the patch is enabled.

Enable: (Default Setting) Partially enables an installed patch to allow extensions or customizations with older modules to continue working in an unsecured state while the code is updated. When all impacted extensions are updated, set Admin Routing to “Disable” to fully enable the security patch.

Disable: Fully enables an installed security patch. Any extensions with older modules will not work correctly.

We recommend that you install the patch first in the test environment, and try disabling the compatibility mode. If you discover issues, set Admin Routing Compatibility Mode back to “Enabled.” If your extensions and customizations work correctly, you can deploy the fully-enabled patch to production. If you discover issues accessing extensions or customizations from the Admin, set Admin Routing Compatibility Mode to “Disabled” before deploying the patch to production. Then, update the impacted customizations and extensions as needed.

We urge you to enable Admin Routing Compatibility Mode as soon as possible to protect your installation from automated attacks. To learn more, see the technical details in the Security Center.

An unvalidated Host header leaks into the response and the rendered page. Because the page can be cached, the leak puts all store customers at risk, since arbitrary HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc.

Error messages generated during the Magento installation, or during a failed extension installation, can expose the Magento configuration and database access credentials. In most cases, the database server is configured to prevent external connections. In other cases, the information can be exploited, or tied to another attack.

Email template filter functionality can be used to call blocks and expose customer information such as last orders, or integration passwords. Although safe when used internally by Magento, it has been reported that this functionality might be used by some external extensions to process blog comments and other user input. Such use of the email template filter functionality can expose protected information on the storefront. To learn more, see the technical details in the Security Center. See also: Content Permissions.

Magento can be forced to read XML via API calls that contain ENTITY references to local files, which makes it possible to read password or configuration files. Although Zend Framework filters out ENTITY references, they can be encoded as multibyte characters to avoid detection. To learn more about this Zend Framework issue, see: Zend Changelog 1.12.14.
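The following is an added example (not Magento's or Zend Framework's code) of the detection gap described above: a byte-level filter for the ENTITY keyword is defeated by simply re-encoding the document, whereas refusing any DOCTYPE at parser level, after the parser has decoded the declared or BOM-detected encoding, catches both forms. The sample documents are constructed and use a harmless internal entity; the `DoctypeRejected` exception and helper names are this example's own.

```python
import xml.parsers.expat

# Constructed sample documents. The entity is a harmless internal one; the point
# is whether the DOCTYPE that declares it is detected, not what it references.
DOC_UTF8 = b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x "hi">]><r>&x;</r>'
# The same document encoded as UTF-16 (BOM-prefixed): every ASCII letter now has a
# zero byte beside it, so the byte string b"ENTITY" no longer appears anywhere.
DOC_UTF16 = ('<?xml version="1.0" encoding="UTF-16"?>'
             '<!DOCTYPE r [<!ENTITY x "hi">]><r>&x;</r>').encode("utf-16")
CLEAN = b'<?xml version="1.0"?><r>ok</r>'


def naive_filter_blocks(data: bytes) -> bool:
    """Byte-level check: look for the declaration keyword in the raw request body."""
    return b"ENTITY" in data


class DoctypeRejected(Exception):
    """Raised when a document carries a DOCTYPE and the caller did not allow one."""


def parse_without_doctype(data: bytes, allow_doctype: bool = False) -> str:
    """Parse and return the text content. With allow_doctype=False, any DOCTYPE is
    refused before a single entity can be expanded. Expat decodes the BOM-detected or
    declared encoding first, so this check sees markup, not bytes."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} refused")

    if not allow_doctype:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parser_blocks(data: bytes) -> bool:
    """True if the parser-level check refused the document."""
    try:
        parse_without_doctype(data)
    except DoctypeRejected:
        return True
    return False
```

Parsing `DOC_UTF16` with `allow_doctype=True` still expands the entity, which shows the re-encoded document is fully valid to the parser even though the byte filter no longer sees it.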

The addFieldToFilter method does not escape the field name. Although core Magento functionality is not affected, this issue might impact third-party extensions, such as those used for layered navigation. Such extensions might be exploited from the storefront to execute any SQL queries. To learn more, see the technical details in the Security Center.
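As an added illustration (not Magento's code) of why a field name needs different handling from a value: the value can be bound as a query parameter, but the field name is an identifier that ends up inside the SQL text, so an extension that passes storefront input as the field must validate it against the columns the collection actually has. The in-memory `catalog_product` table and the helper names are constructed for this example.

```python
import re
import sqlite3

# Identifier grammar we are willing to interpolate; anything else is refused outright.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_field_filter(allowed_columns, field, value):
    """Return a (sql_fragment, params) pair for one field filter. The field name is an
    identifier and cannot be bound as a parameter, so it is checked against the
    collection's known columns and then quoted; the value is always bound, never inlined."""
    if not IDENT_RE.match(field) or field not in allowed_columns:
        raise ValueError(f"refusing to filter on unknown field {field!r}")
    return f"`{field}` = ?", (value,)


def filtered_skus(conn, allowed_columns, field, value):
    """Run the filter against the constructed product table and return matching SKUs."""
    fragment, params = build_field_filter(allowed_columns, field, value)
    rows = conn.execute(f"SELECT sku FROM catalog_product WHERE {fragment}", params)
    return [sku for (sku,) in rows]


def demo_db():
    """Constructed in-memory table standing in for a product collection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE catalog_product (sku TEXT, color TEXT)")
    conn.executemany("INSERT INTO catalog_product VALUES (?, ?)",
                     [("A1", "red"), ("B2", "blue"), ("C3", "red")])
    return conn


def rejects(allowed_columns, field):
    """True if the filter builder refuses this field name."""
    try:
        build_field_filter(allowed_columns, field, "x")
    except ValueError:
        return True
    return False
```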

The cron.php script is available for anyone to call. Because the script can make command-line function calls, it becomes a potential target for the Shellshock vulnerability. (Your server should already be protected against Shellshock.)

Additionally, because the command that is passed to the shell is not escaped, a directory with the same name as a shell command can be used to execute code.

Such an attack requires the ability to create directories with arbitrary names, such as through a hosting panel.

Although the severity is ranked as high, the attack is not exploitable by itself.

Custom option values are not cleared when the custom option type is switched. This makes it possible to inject malicious serialized code into a custom option of the “text” type, and execute it by switching the custom option type to “file.” This remote code execution attack requires the store to use custom options, and have an administration account with access to catalog/products.

Additionally, the manipulation of custom options from the storefront makes it possible to read system files. To learn more, see the technical details in the Security Center.

It is possible to put unvalidated information, including code, into error report files. When combined with Admin access to the catalog, an attacker can create a fake downloadable product that executes PHP code that was previously uploaded to the server.

To fully execute the attack, the attacker must have valid credentials for an Admin account that has full permission to access product resources.

Although this patch is disabled by default, it helps protect against automated attacks. By calling a module directly, an attacker can force the Admin Login page to load in the browser. The Admin URL appears in the address bar, which makes it easier to launch a password attack. To learn more, see the technical details in the Security Center.

To help manage the compatibility of extensions and customizations, the Admin Routing Compatibility Mode setting has been added to the Admin > Security configuration.

Follow the procedure outlined at the beginning of the release notes to verify that your extensions and customizations work correctly. If issues are discovered, you can install the patch with Admin Routing Compatibility disabled to give you the opportunity to update any impacted extensions or customizations.

The token that is used to reset a password is passed with a GET request, and is not canceled after use. As a result, the token can be leaked through the referrer field to all external services that are called on the page, such as image servers, analytics, and ads. The token might then be reused to steal the customer’s password.
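An added example (not Magento's code) of the token handling this issue calls for: tokens that expire and are invalidated on first use, stored only as a digest, so that a copy leaked through the Referer header to an image server, analytics or ad provider cannot be replayed after the customer has reset the password. The class, its injectable clock and the TTL are this example's own assumptions; the reset form should additionally submit the token by POST rather than in the query string.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Issues password-reset tokens that expire and can be consumed exactly once.
    Only a SHA-256 digest is stored, so a leaked table yields no usable tokens, and
    the first successful use removes the entry, so a token copied from a Referer
    header by a third party is worthless once the legitimate reset has happened."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # digest -> (customer_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, customer_id):
        """Create a fresh random token for the customer and remember only its digest."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (customer_id, self._now() + self._ttl)
        return token

    def consume(self, token):
        """Return the customer id if the token is valid, invalidating it in the same
        step; None if the token is unknown, already used, or expired."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        customer_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return customer_id
```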

The Magento dev folder, including functional tests, lacked a proper .htaccess file to prevent browser access. As a best practice, all files and directories that are not intended for public view should be protected.

Product(s) Affected:

Magento CE from 1.9.2.0 to 1.9.2.1

Magento EE from 1.14.2.0 to 1.14.2.1

Fixed In:

CE 1.9.2.2 and EE 1.14.2.2

Reference ID:

APPSEC-1124

Reporter:

Internal